Potential for malicious abuse of new TLDs is "extraordinary," PayPal exec warns.

Share this story

Plans to populate the Internet with dozens of new top-level domains in the next year could give criminals an easy way to bypass encryption protections safeguarding corporate e-mail servers and company intranets, officials from PayPal and a group of certificate authorities are warning.

The introduction of Internet addresses with suffixes such as ".corp", ".bank", and ".ads" are particularly alarming to these officials because many large and medium-sized businesses use those strings to name machines inside their networks. If the names become available as top-level domains to route traffic over the Internet, private digital certificates that previously worked only over internal networks could potentially be used as a sort of skeleton key that would unlock communications for huge numbers of public addresses.

A secure sockets layer certificate used by employees to access a company intranet designated as ".corp", for instance, might be able to spoof a public credential for the website McDonands.corp or Ford.corp. Employee laptops that are used at an Internet cafe or other location outside of a corporate network might also be tricked into divulging private information.

"If the appropriate service endpoints are available, these clients will next begin to dump confidential data and potentially pull incorrect information and apply damaging state changes," PayPal Information Risk Management officials Brad Hill and Bill Smith wrote in recently published letter to Fadi Chehade and Stephen D. Crocker, the chief executive and chairman respectively of the Internet Corporation for Assigned Names and Numbers (ICANN). "The potential for malicious abuse is extraordinary, the incidental damage will be large even in the absence of malicious intent, and such services will become immediate targets of attack as they inadvertently collect high-value credentials and private data from potentially millions of systems."

The security concerns come in response to ICANN's plans to create a variety of new top-level domains by the end of this year to bolster currently available suffixes such as ".com", ".net", and ".biz". Last week, VeriSign also sharply criticized the plan, saying the speed at which ICANN was moving threatened the stability of the Internet address system.

A report recently published by ICANN's Security and Stability Advisory Committee provides support for the security concerns, which in addition to PayPal are being voiced by members of a group of certificate authorities. Citing data assembled three years ago by the Electronic Frontier Foundation's SSL observatory, the report said there were 1,053 certificates signed by recognized authorities that end in 63 strings which are candidates to become top-level domains. Such a scenario might make it possible for "man-in-the-middle" attackers, who control a connection between a website and end users, to spoof traffic in a way that would completely bypass encryption protections provided by SSL.

"If an attacker obtains a certificate before the new TLD is delegated, he/she could surreptitiously redirect a user from the original site to the attacker site, present his certificate, and the victim would get the Transport Layer Security/SSL (TLS/SSL) lock icon," the ICANN report stated. "This poses a significant risk to the privacy and integrity of HTTPS communications as well as other protocols that use X.509 certificates (e.g. TLS/SSL-based e-mail communication)."

The report went on to say that the number of "short name" certificates that could collide with the new domains is almost certainly much higher. That's because the SSL Observatory only scanned for certificates publicly advertised on the Internet. That leaves most private certificates unaccounted for. Another reason the SSL Observatory is likely understating the problem is that it probably doesn't scan many ports used by e-mail servers.

ICANN officials didn't respond to an e-mail seeking comment for this article.

Averting disaster

Security experts have been pondering such possibilities for a couple years now. As a result, they have devised several ways to avert the worst of the disasters. Specifically, the CA Browser forum, made up of many of the Internet's certificate authorities and browser developers, is telling members to stop issuing "internal name" certificates by October 2015 and to revoke any such valid certificates by October 2016.

Ryan Hurst, CTO of GlobalSign and a participant in the CAB Forum, told Ars the group has also mandated the revocation of any certificates that contain short names that are later designated by ICANN as a top-level domain. CAB Forum members are required to perform the revocations within 120 days. Since it probably takes three or more months for a generic TLD to become operational, that should buy authorities time to revoke any potentially dangerous certificates, but some security experts remain uncomfortable. They warn there is little margin for error, and that the system depends on the willingness of members to comply.

"The primary concern is the speed at which these new gTLDs are going to be adopted by ICANN without giving enough consideration to the potential impact on security and established networks," Jeremy Rowley, the associate general counsel for certificate authority DigiCert, told Ars. "I don't think they have an accurate understanding of the number of internal server names [and] internal networks that are out there and the number of certificates that have been issued to those networks."

Hurst and Rowley, who are both members of the recently formed CA Security Council, also warned that the CAB forum mandates aren't binding on CAs who aren't members, so there's no guaranty the requirements will be followed universally.

Collisions between internally used SSL certificates are only one of many potential risks that stem from the planned expansion. The introduction of domains such as "domain", "localhost", "home", or "belkin" could also cause significant disruption since an untold number of networks use these names to route traffic to computers, servers, and embedded devices internally. Network engineers and Internet policy makers have been aware of these dangers for years. With the rollout of new domains rapidly approaching, security experts said they need more time.

"We're trying to find a find balance between: 'I'm sorry, guys, your network no longer works the way it's worked for the last 20 years,' and this requirement, and we're trying to do it as quickly as possible," Hurst said. "A lot of times this requires ordering new hardware for these guys, hiring consultants to help them plan their directories, and this is not something they do easily."